On Sat, Aug 10, 2019 at 10:03:38AM +0200, Hugo Lefeuvre wrote:
> Hi,
>
> I am taking a look at clamav's zip bomb issue[0] in jessie. This issue is
> no-dsa in buster/stretch: "ClamAV is updated via -updates".
>
> What is this -updates mechanism? I might have missed something, does clamav
> have an auto-update mechanism?

It's what used to be volatile some years ago. ClamAV is only getting updated via -updates as it can't reasonably be part of a regular stable release; new malware signatures provided via FreshClam sometimes require new engine features so it needs to be kept up with current upstream. It's still present on the install media, but the idea is that by means of -updates it's ensured that always the latest version is present without waiting for the next point release.

Cheers,
Moritz